I used to have my first blog ever registered through duck dns. Reused an old hp desktop a friend of mine had found for me at the nearest waste collection facility as server. A golden era for me.
I don’t see much issues with privacy or security with a service like this.
They don’t get traffic going through them. They mainly exist to point to an IP. With enough data they have information on how an ISP rotates IP’s and who they’ve gone to.
In your case, with a WireGuard VPS, all traffic goes through the server. That’s a very different setup.
In their case, a request goes to them at a regular interval and they update the IP the dns record points to. That’s it.
When someone requests the domain, they simply respond with an IP. At most, if there’s little caching, they could get frequency of usage.
There's no routing of the actual traffic, only basic DNS forwarding. Of course it's not meant for business production services, but it's decent for homelab. Especially considering for how long has DuckDNS been operating.
My biggest concern would be someone scanning CT logs to find hosts with hobbyist grade security. That’s not meant to insult hobbyists, but they might be a juicy target for immediately exploitation after a zero day hits. To be clear, it’s the same for any well known DynDNS domain.
Besides that, I looked at every DynDNS system I could find back in the summer. There were only 3 that I was happy with; Hurricane Electric, Google Domains, and a pair of self hosted Bind servers.
If you want the best, simple solution, and it doesn’t need to be completely free, register a domain with Google domains. If anyone knows of limitations, let me know.
I prefer to use Cloudflare for my DNS including dynamic DNS. I happen to have my domains registered through them but it is not a requirement to use their free tier.
The thing I find most interesting about this post is the Reddit login deprecation.
Reddit provides an OAuth2 IdP service... but is unhappy when platforms use it? I'm genuinely curious why they provide this service if their legal team then actively chases platforms that use it to get them to desist?
They're pretty explicit in the email, the service has to be related to Reddit.
OAuth login to edit all your comments in a react CMS? OK. OAuth login to to update you server dynamic ips? Not really Reddit focused.
Really more of a failure on the API key generation page where you should (perhaps now do) have to click a "Yes, my thing extends or uses data from reddit" to get a key.
What other auth system should they have used to allow 3rd party login, that some how also handles site intent?
Dynamic dns domains are used heavily by spammers as a free way to get new domains to spread links on social media sites (to evade domain bans). Typically these are fake dating site scams targeted at men. I’m dealing with this now at at one of the top social media companies.
And? Not sure what I'm supposed to take from this. Domains can be had for so cheap, the fact that it's even a consideration in the spam profile is kinda... :/.
This is not unique to duckdns. My own domains with completely innocent content get flagged as unsafe by the big gatekeepers. This is a growing problem for any of us outside their walls.
> cybercriminals using the service have tarnished its reputation
Yeah, that's the only reason I'd heard of Duck DNS before - I got some "please sign in to your bank account" text with a link and I saw the domain in the URL was duckdns.org so I looked into it. With behavior like that on their domain, I'd imagine many browsers, firewalls, etc will block them.
Shout out to DuckDNS; Thank You! Have been using it for a few years now without a hitch!
Although its free, they accept donations via Patreon[0], Paypal etc. Running and maintaining services is not free, so if you're using DuckDNS, contributing would guarantee that the service survives into the future!
Duck dns is very usefull. I use to host a demo from a CRM portal my company sold at my house.
The problem was that I had dynamic IP and my isp shit router did not suport DNS services. So I made a simple script that would log in and acess the router information page, get the public IP and update in the DUCK dns with a curl.
Yeah most routers come with a fixed list of services, when they really mean is a list of protocols.
I have a Huawei Fibre ONT, that only listed DynDNS, NoIP, and a few others. I could get away by using a NextDNS DNS override, and hosting my own script that forwarded the API call to the actual DDNS provider.
I currently use no-ip free tier for this. My only complaint with no-ip free is that I have to login and verify that I am still using it after a while. Does Duck DNS do this too?
this is good. there should be more services to pool DNS, email addresses, and cell phone numbers. this should be a basic tool for the hacker to get around the muggle.
Also, AWS lets you ask for a static IP access (EIP) which you don't pay for so long as it is attached to something (an ec2 instance, a load balancer, etc).
A few friends and I wrote a simple dynamic DNS service called ddns[1] around a 0-dependency nodejs script that manages NSD zone files. It's pretty easy to self-host an ns for your own needs. The most interesting feature it has is the ability to register an unused entry without authentication (or with an adminpassword) but update it with a password set on first registration. This allows me to bake that password into a cronjob on any given server without the risk that it can hijack DNS from other servers if it is compromised. My company now uses it (plus NSD zone transfer) to drive our DNS layer for server to server communications.
One of my friends runs a public instance here, with no guarantees offered.[2]
50 comments
[ 2.4 ms ] story [ 111 ms ] threadI ended up going for my own VPS with a WireGuard server for my home server to connect to.
They don’t get traffic going through them. They mainly exist to point to an IP. With enough data they have information on how an ISP rotates IP’s and who they’ve gone to.
In your case, with a WireGuard VPS, all traffic goes through the server. That’s a very different setup.
In their case, a request goes to them at a regular interval and they update the IP the dns record points to. That’s it.
When someone requests the domain, they simply respond with an IP. At most, if there’s little caching, they could get frequency of usage.
A rouge DNS can reply to select queries with an IP of a middleware that can TLS proxy and/or MitM that traffic.
We built such a thing mostly for anti-censorship purposes (bypass IP blocks): https://github.com/celzero/midway#demo
Besides that, I looked at every DynDNS system I could find back in the summer. There were only 3 that I was happy with; Hurricane Electric, Google Domains, and a pair of self hosted Bind servers.
If you want the best, simple solution, and it doesn’t need to be completely free, register a domain with Google domains. If anyone knows of limitations, let me know.
Namecheap maxes out at 150 DynDNS hosts :-(
You can keep jumping to new gimmick first year deals on unusual TLDs but they are often considered spammy and always gouge on renewal pricing.
Reddit provides an OAuth2 IdP service... but is unhappy when platforms use it? I'm genuinely curious why they provide this service if their legal team then actively chases platforms that use it to get them to desist?
https://www.duckdns.org/reddit.jsp
OAuth login to edit all your comments in a react CMS? OK. OAuth login to to update you server dynamic ips? Not really Reddit focused.
Really more of a failure on the API key generation page where you should (perhaps now do) have to click a "Yes, my thing extends or uses data from reddit" to get a key.
What other auth system should they have used to allow 3rd party login, that some how also handles site intent?
Well, clearly the four other auth options they have don't care about what they're being used for.
I can't stand the amount that folks bend over backwards to accommodate lazy, inconsiderate middle men.
Read my think piece on my ad/pop-up riddled Medium/Substack blog!
Yeah, that's the only reason I'd heard of Duck DNS before - I got some "please sign in to your bank account" text with a link and I saw the domain in the URL was duckdns.org so I looked into it. With behavior like that on their domain, I'd imagine many browsers, firewalls, etc will block them.
Somethings are actually indeed worth the friction-full conversations of "no, sorry please use (anything else) to chat with me".
Although its free, they accept donations via Patreon[0], Paypal etc. Running and maintaining services is not free, so if you're using DuckDNS, contributing would guarantee that the service survives into the future!
[0] https://www.patreon.com/user?u=3209735
The problem was that I had dynamic IP and my isp shit router did not suport DNS services. So I made a simple script that would log in and acess the router information page, get the public IP and update in the DUCK dns with a curl.
Worked Like a charm.
curl "https://api.1984.is/1.0/freedns/?apikey=xxxxxxxxxxxx&domain=..."
If you don't define an IP in the endpoint, it'll automatically look at the IP the request came from.
I have a Huawei Fibre ONT, that only listed DynDNS, NoIP, and a few others. I could get away by using a NextDNS DNS override, and hosting my own script that forwarded the API call to the actual DDNS provider.
[0] https://ngrok.com
> because we can, because before we started we couldn't, learning is fun
That last line about learning has the right spirit!
From memory, EC2 instances only get provisioned a new IP when booted from cold, not a reboot.
One of my friends runs a public instance here, with no guarantees offered.[2]
1: https://github.com/thingless/ddns
2: https://moreorcs.com/domain.html